Add PKCE, Scopes, and Logout Redirect URL Support to the OIDC Policy

[writemike]

Is your feature request related to a problem? Please describe:
To have feature parity with the NGINX Plus OIDC Reference Implementation I would like to see a key/value pair added to the OIDC Policy declaration to include enabling PKCE, updating scopes, and adding a Logout Redirect URL.

Describe the solution you'd like:
I would like to see a key/value pair added to the OIDC Policy declaration to include enabling PKCE ($oidc_pkce_enable 1), updating scopes ($oidc_scopes), and adding a Logout Redirect URL ($oidc_logout_redirect).

Describe alternatives you've considered:
Not sure if we could use Server/Location Snippets to meet this requirement with the map directives in the openid_connect_configuration.conf file.

Additional context:
PKCE could be automatically marked true (Implemented) if the clientSecret value is left blank, unless there is a use case where both would be needed? Scopes and Logout URI would use the defaults if not updated and therefore be optional.

Some more detail, I'm looking more for feature parity with this OIDC Reference Implementation which looks like the same implementation added to the latest version of KIC (If you exec into the KIC pod and look in the /etc/nginx/oidc folder, you will see the same code used). We are just missing these 3x variables to make the 2 solutions equivalent. All the code is already in /etc/nginx/oidc, on KIC, but these 3x variables ($oidc_pkce_enable, $oidc_scopes, and $oidc_logout_redirect) were not included in the OIDC Policy configuration which is what I am asking about.

[github-actions]

Hi @writemike thanks for reporting!

Be sure to check out the docs while you wait for a human to take a look at this 🙂

Cheers!

[brianehlert]

The most complete OIDC example that I have seen is here: https://github.com/magicalyak/ansible-role-nginx-ingress-oidc
But that is not the same as being a first class citizen in the policy

[writemike]

Some more detail, I'm looking more for feature parity with this OIDC Reference Implementation which looks like the same implementation added to the latest version of KIC (If you exec into the KIC pod and look in the /etc/nginx/oidc folder, you will see the same code used). We are just missing these 3x variables to make the 2 solutions equivalent. All the code is already in /etc/nginx/oidc, on KIC, but these 3x variables ($oidc_pkce_enable, $oidc_scopes, and $oidc_logout_redirect) were not included in the OIDC Policy configuration which is what I am asking about.

[brianehlert]

OIDC Policy supports only a subset of options:
https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/#oidc

This is a reflection of not keeping up to date with updates to the OIDC reference implementation.

[brianehlert]

Custom scopes are supported with: #3863

[pdabelf5]

OIDC Logout redirect URL is now with: #6092

[shaun-nx]

Hi @writemike
To keep you informed, as @pdabelf5 said, we've added the ability to specify the OIDC Logout Redirect URL in #6092. This is currently in main and will be available in release 3.7.0 , which is targeted for September 30th

Regarding OIDC Scopes, this is is available in our OIDC Policy

As for supporting the $oidc_pkce_enable directive, I'll bring this one to the team and we can assess the priority of adding this, and we will get back to you on that as soon as we know.

I am currently in the process of grooming our existing issues, starting with the oldest ones, so I hope we can give you a response sooner than later 🙂

[anderius]

Any news about the oidc_pkce_enable directive? We need this.

[pdabelf5]

Hi @anderius the $oidc_pkce_enable directive will be worked on in #6713. This will be implemented in the near future and should be available in an upcoming release.